The General Data Protection Regulation (GDPR) sets out the circumstances in which it does not apply at all, as well as a range of exemptions and derogations that apply within its scope. Article 2(2) defines the primary exclusions, clarifying that the Regulation does not apply to processing of personal data in the course of an activity falling outside the scope of Union law, by Member States when carrying out activities under Chapter 2 of Title V of the Treaty on European Union, by a natural person in the course of a purely personal or household activity, or by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. The latter activities are instead regulated by Directive (EU) 2016/680, the Law Enforcement Directive.

Beyond these scope exclusions, the GDPR contains specific exemptions and derogations that modify how its obligations and data subject rights apply in certain contexts. Article 85 requires Member States to reconcile the right to data protection with the right to freedom of expression and information, allowing exemptions for processing carried out for journalistic, academic, artistic, or literary purposes. Article 86 permits the disclosure of personal data in official documents by public authorities if this aligns with laws governing public access to official records. Article 88 authorises Member States to establish specific rules for the processing of personal data in the employment context, taking account of the rights and obligations of employers and employees.

Article 23 allows national laws to restrict the scope of certain obligations and rights under the Regulation where such restrictions are necessary and proportionate to safeguard key public interests. These include national security, defence, public security, the prevention or investigation of criminal offences, other important objectives of general public interest, and the protection of judicial independence. Articles 89(1) and 89(2) create exemptions for processing undertaken for archiving purposes in the public interest, scientific or historical research, or statistical purposes, provided appropriate safeguards such as pseudonymisation are implemented. Under these conditions, some data subject rights, including access, rectification, restriction, and portability, may be limited if exercising them would seriously impair the research or statistical objectives.

Further, Article 55(3) and Recital 20 provide that supervisory authorities are not competent to oversee processing by courts acting in their judicial capacity, ensuring judicial independence. The GDPR also contains a framework of conditional exemptions concerning special categories of data under Article 9(2), which may be processed in limited circumstances such as explicit consent, employment or social protection law, vital interests, legal claims, public health, or scientific research. Together, these provisions establish that while the GDPR applies broadly, it recognises the need for flexibility in contexts where competing rights or public interests must be balanced.